SSL Howto

From S23Wiki
Revision as of 05:18, 24 January 2012 by DrOwl (Talk | contribs)


A few handy hints and tips for messing with SSL certs and keys

  • Dump the certificate
openssl x509 -in url.crt
  • Dump the certificate details (-noout suppresses output of the certificate itself)
openssl x509 -in url.crt -noout -text
  • Find out the issuer of a certificate (useful for determining the chain file needed)
openssl x509 -in url.crt -noout -issuer
  • Display the valid from/valid to dates
openssl x509 -in url.crt -noout -dates

Check that a key and cert match

  • Find the modulus for both the cert and the key
openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus

If the two moduli match, then the key and the certificate are a pair. See also Cert-Key_Match.
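The modulus check above wrapped in a script, as an added example that is not part of the original wiki page. It goes beyond the page by also comparing public keys with openssl pkey, which works for non-RSA keys such as EC. The function names, file names and subject names are made up for the example, and the keys are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example (not from the original page): key/certificate pairing checks.

# RSA only: the page's modulus comparison, automated.
modulus_match() {   # usage: modulus_match CERT KEY
    c=$(openssl x509 -in "$1" -noout -modulus) || return 2
    k=$(openssl rsa  -in "$2" -noout -modulus) || return 2
    [ "$c" = "$k" ]
}

# Any key type: compare the cert's public key with the one derived from the key.
pubkey_match() {    # usage: pubkey_match CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Constructed sample data: throwaway keys and self-signed certs in a temp dir.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example.test" \
        -keyout "$d/rsa.key" -out "$d/rsa.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" >/dev/null 2>&1 || return 1
    openssl req -x509 -new -key "$d/ec.key" -days 1 -subj "/CN=ec.example.test" \
        -out "$d/ec.crt" >/dev/null 2>&1 || return 1
    echo "$d"
}

report() {          # print a verdict for one cert/key pair
    if pubkey_match "$1" "$2"; then echo "MATCH    $1 $2"
    else echo "MISMATCH $1 $2"; fi
}

d=$(make_samples) || { echo "openssl failed to create sample files" >&2; exit 1; }
trap 'rm -rf "$d"' EXIT
report "$d/rsa.crt" "$d/rsa.key"     # key generated together with the cert
report "$d/rsa.crt" "$d/other.key"   # unrelated RSA key
report "$d/ec.crt"  "$d/ec.key"      # EC pair, where -modulus does not apply
```

Both functions return 0 on a match, 1 on a mismatch and 2 if openssl could not read one of the files.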

  • Convert a .pfx / pkcs12 to PEM

pkcs12 is a combined key / cert data format. To convert it to a PEM file:

openssl pkcs12 -in url.pfx -out url.pem -nodes

You may be asked for the password if the pfx is protected. This will generate a single file containing the key and the certs. Because of -nodes, the private key in that file is not encrypted.

Test an SSL site

openssl s_client -connect HOST:PORT

  • Check on a csr (Certificate Signing Request)
openssl req -noout -text -in foo.csr

  • Generate a csr (Certificate Signing Request)
openssl req -new -out foo.csr